中文 EN

Scan Report

Scan New Files

This report was generated in Chinese. Some content may be in Chinese.
Low Risk — Risk Score 22/100
Last scan:5 hr ago Rescan
22 /100
clawdoctor
OpenClaw Health Monitor & Fixer - 实时监控、一键修复、安全扫描、Web dashboard
ClawDoctor 是合法的 OpenClaw 健康监控工具,存在轻微文档-行为差异(云端API配置但未启用)和供应链瑕疵(pip无版本锁定),无恶意行为证据。
Skill Nameclawdoctor
Duration48.1s
Enginepi
ClawHub Claw Health v1.0.0 by olveww-dot
📥 157
ClawHub Verdict Suspicious dynamic_code_executionllm_suspicious
Safe to install
可安全使用。建议:(1)明确声明network:READ权限用于本地健康检查 (2)安装脚本中锁定psutil版本

Findings 4 items

Severity Finding Location
Low
SKILL.md 权限声明缺失 Doc Mismatch
SKILL.md未声明任何allowed-tools权限,但代码实际使用subprocess、psutil等工具读取系统状态
Requirements: Python 3.10+, psutil, OpenClaw installed
→ 在SKILL.md的Requirements部分明确声明需要哪些工具权限
 SKILL.md:1
Low
依赖无版本锁定 Supply Chain
install.sh中pip install psutil未指定版本,可能安装到有漏洞的版本
pip3 install psutil --user
→ 修改为: pip3 install psutil>=5.9.0 --user
 install.sh:9
Info
云端功能代码存在但未启用 Doc Mismatch
agent.py配置了https://api.clawdoctor.io/v1/heartbeat,但send_to_cloud()函数被注释,不会实际发送数据
api_endpoint: https://api.clawdoctor.io/v1/heartbeat
→ 删除未使用的云端配置代码,或明确文档说明未来可能的数据收集功能
 agent.py:15
Info
读取本地OpenClaw配置 Sensitive Access
代码读取~/.openclaw/目录下的配置文件和日志用于监控,属于声明范围内的本地操作
config_file = Path.home() / .openclaw / openclaw.json
→ 无需修改,这是监控工具的正常功能
 clawdoctor.py:51
ResourceDeclaredInferredStatusEvidence
Filesystem NONE READ ✓ Aligned clawdoctor.py:51 读取~/.openclaw/配置和日志
Shell NONE READ ✓ Aligned clawdoctor.py:60-64 subprocess调用curl检查Gateway
Network NONE READ ✓ Aligned agent.py:17 配置云端API但未启用; clawdoctor.py:302-305 socket连接8.8.8.8
Database NONE NONE 无数据库操作
1 High 15 findings
📡
High IP Address 硬编码 IP 地址
8.8.8.8
clawdoctor.py:305
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/OpenClaw-Health%20Monitor-blue?style=for-the-badge
README.md:4
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/Python-3.10%2B-green?style=for-the-badge&logo=python&logoColor=white
README.md:5
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/License-MIT-yellow?style=for-the-badge
README.md:6
🔗
Medium External URL 外部 URL
http://127.0.0.1:8080/dashboard.html
README.md:22
🔗
Medium External URL 外部 URL
https://api.clawdoctor.io/v1/heartbeat
agent.py:17
🔗
Medium External URL 外部 URL
http://127.0.0.1:18789/
agent.py:34
🔗
Medium External URL 外部 URL
https://cdn.tailwindcss.com
dashboard.html:7
🔗
Medium External URL 外部 URL
http://127.0.0.1:52691
dashboard.html:199
🔗
Medium External URL 外部 URL
http://127.0.0.1:64144
dashboard_simple.html:183
🔗
Medium External URL 外部 URL
https://checkout.paddle.com/checkout/product/pri_01kkm07e93d54fat920xe9b5rs
payment.html:48
🔗
Medium External URL 外部 URL
https://checkout.paddle.com/checkout/product/pri_01kkm09nvwj9ex7nssjf27kbch
payment.html:70
🔗
Medium External URL 外部 URL
https://checkout.paddle.com/checkout/product/pri_01kkm0bk13cv93jam6nq3tvj88
payment.html:91
🔗
Medium External URL 外部 URL
http://127.0.0.1:
server.py:117
📧
Info Email 邮箱地址
[email protected]
README.md:122

File Tree

16 files · 116.2 KB · 3061 lines
Python 7f · 1563L HTML 3f · 1084L Markdown 4f · 343L JSON 1f · 38L Shell 1f · 33L
├─ 🐍 agent_simple.py Python 84L · 2.5 KB
├─ 🐍 agent_v2.py Python 175L · 6.0 KB
├─ 🐍 agent.py Python 224L · 7.5 KB
├─ 🐍 clawdoctor_simple.py Python 353L · 11.3 KB
├─ 🐍 clawdoctor.py Python 465L · 15.2 KB
├─ 📄 dashboard_simple.html HTML 429L · 21.7 KB
├─ 📄 dashboard.html HTML 526L · 27.4 KB
├─ 🔧 install.sh Shell 33L · 991 B
├─ 📋 package.json JSON 38L · 935 B
├─ 📄 payment.html HTML 129L · 7.4 KB
├─ 📝 README_NEW.md Markdown 135L · 3.3 KB
├─ 📝 README.md Markdown 135L · 3.3 KB
├─ 📝 screenshot-placeholder.md Markdown 6L · 149 B
├─ 🐍 server_simple.py Python 114L · 3.3 KB
├─ 🐍 server.py Python 148L · 4.2 KB
└─ 📝 SKILL.md Markdown 67L · 1.0 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
psutil * pip No 无版本锁定,存在供应链风险但CVSS评分低

Security Positives

✓ 云端数据外传功能被注释,实际不会外传数据
✓ 所有网络操作均为本地127.0.0.1,无公网暴露
✓ 安全扫描功能是防御性的(检查其他技能而非攻击)
✓ 无凭证收割、代码混淆或隐藏指令
✓ 修复功能仅作用于OpenClaw相关进程
✓ 支付页面使用正规Paddle平台